Security Vulnerabilities Decline in Number, Increase in Danger: HP

The number of disclosed software vulnerabilities continues to fall, but the risk level of those that are around is climbing, HP says in its latest security report.

Hewlett-Packard officials are saying that the number of vulnerabilities in commercial applications is continuing to fall, dropping almost 20 percent between 2010 and 2011.

However, while the downward trend in vulnerabilities is good news, the risks posed by those vulnerabilities are growing, and cyber-attacks themselves more than doubled in the second half of the year, according to HP's 2011 "Top Cyber-Security Risks Report," announced April 19.

The report also outlined an evolving security landscape, including hacker motivations, such as those of hacktivist groups like Anonymous and LulzSec, which attack in retaliation for perceived wrongs rather than for financial gain, and the attack techniques that are leading to more successful security breaches.

"So the number of vulnerabilities may be falling, but it's not really a good indication of risk," Jennifer Lake, security product marketing manager for HP DVLabs, told eWEEK.

According to HP's numbers, there were 6,843 disclosed vulnerabilities in 2011, compared with 8,502 in 2010. However, that only accounts for commercially available software and not for custom-made applications, Lake said. The tech vendor gets its figures from HP DVLabs' Zero Day program, the HP Fortify Application Security Center Web Security Research Group, data from deployed HP TippingPoint Intrusion Prevention Systems and the Open Source Vulnerability Database.

The numbers for 2011 compare with about 11,000 vulnerabilities disclosed in 2006, when the figures reached their peak; they have declined every year since. HP officials point to a number of reasons for the decline, including the growth of a private market for sharing vulnerabilities and the rising number of custom-built Web applications, which in turn has created a market for exploits unique to that software, exploits that call for particular skills to locate and deal with.

HP's Lake stressed that while the number of disclosed vulnerabilities may be falling, the level of risk is growing. The percentage of high-risk vulnerabilities, those with a severity rating between 8 and 10, jumped 7 percent, to 24 percent of all vulnerabilities, she said. Those are the kinds of vulnerabilities that need to be patched immediately because they can result in remote code execution, the most dangerous type of attack, in which an attacker can gain control of a compromised system.

So even though there may be smaller numbers of vulnerabilities being disclosed, "the ones that are out there are particularly nasty," Lake said.

Other findings in the report include that 36 percent of all vulnerabilities disclosed are in commercial Web applications, and that about 86 percent of Web applications are vulnerable to injection attacks, in which hackers gain access to internal databases through a Website. In addition, Web exploit kits continued to be popular in 2011. HP pointed to the Blackhole Exploit Kit, which officials said is used by most hackers and hit an infection rate of more than 80 percent in late November 2011.

Mark Painter, product manager with HP Fortify, said that a key way to address the issue of software vulnerabilities is for developers to run security tests of the application throughout the development lifecycle, rather than simply waiting until the application development process is completed.

"Application security has been a pervasive need because applications are pervasive," Painter said in an interview. "They're everywhere. Security needs to be a process. It needs to be baked in, not just brushed on."